Employee Cybersecurity Training: Essential Tips for Protecting Your Company
Even with all the advancements in technology to defend against cybercriminals, it’s employees who are the first line of defense in protecting company data.
Technology can only go so far and cannot yet prevent human error. In the end it is a person who clicks the link, opens the phishing email or installs the malicious software.
This article will go over how to effectively implement cybersecurity training for your employees and the non-negotiables that should be included in your training plan.
How to Implement the Training
As with any training, it doesn’t matter how valuable the syllabus content is if it’s not delivered correctly. Without the right delivery in place, it won’t be taken on board and implemented effectively.
The fundamental goal of cybersecurity training is to make sure that all employees have a clear understanding of the importance of cybersecurity and the role they personally play in protecting their organization’s sensitive information.
Here’s exactly how to do that.
Implement Training From Day One: Cybercriminals Won’t Wait So Why Should You?
Here’s the thing, cybercriminals aren’t going to wait until your employees have been with the company for a few weeks before they target them.
So, why would you put any delay on starting their cybersecurity training?
Cybersecurity awareness should be implemented from day one, or at the very minimum before employees are granted access to software, valuable information, or emails.
Not to mention, new employees are the most vulnerable targets: they don't yet know their colleagues, customers or suppliers, so they are in no position to judge what is normal and what is suspicious.
Make It Mandatory for All: You’re Only as Strong as Your Weakest Link
If there’s one thing that cybercriminals are good at, it’s exploiting weaknesses in a network.
This means that not including someone in the training because they only use their emails twice a month creates an exploitable weakness in the system. Nobody should be exempt from the training.
This is all about creating a culture that encourages everyone to take responsibility and not leave the responsibility solely on the IT team. This message should be woven throughout the training to all employees.
Regular Drills: Evaluate the Effectiveness of Your Organization’s Cybersecurity Training Program
Just like your scheduled fire evacuation drills, every company should have simulated cyber attack drills.
The most thorough form is a red-team-style exercise, in which a test team plays the attacker and attempts to find, target and exploit whatever weaknesses it can reach, people included.
The most common and cheapest form is a simulated phishing campaign: a controlled lure sent to staff to measure how the company would hold up against a real attack. The results can be used to
- Evaluate how the company performed as a whole
- Identify departments or individuals who need extra attention
- Track performance over time by comparing historic and current results
- Steer the focus of future cybersecurity training
Two caveats from practice. Track the report rate (how many people flagged the email to security) alongside the click rate; a department that clicks little but never reports is still a problem. And use the results to target training, never to punish: employees who fear being named for a click stop reporting the real phish they fall for.
Basing new cybersecurity training on real-life data and events that employees have recently experienced is a great way to highlight the reality and severity of cyber threats, again reiterating the responsibility that every person in the organization must take for their cybersecurity.
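The kind of reporting described above, as an added example rather than anything from the original article: it aggregates constructed results from two simulated phishing campaigns per department, computes click and report rates, flags departments above a click-rate threshold, shows the trend over time, and lists repeat clickers for targeted follow-up. The department names, user IDs, campaign labels and the 25% threshold are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real results): one row per recipient per campaign,
# recording whether they clicked the lure, submitted credentials on the landing
# page, and whether they reported the email to security.
SAMPLE_RESULTS = [
    # campaign,  department, user, clicked, submitted, reported
    ("2024-03", "finance", "u01", True,  True,  False),
    ("2024-03", "finance", "u02", True,  False, False),
    ("2024-03", "finance", "u03", False, False, True),
    ("2024-03", "finance", "u04", False, False, False),
    ("2024-03", "sales",   "u05", True,  False, False),
    ("2024-03", "sales",   "u06", False, False, False),
    ("2024-03", "sales",   "u07", False, False, True),
    ("2024-03", "sales",   "u08", False, False, True),
    ("2024-06", "finance", "u01", False, False, True),
    ("2024-06", "finance", "u02", True,  False, False),
    ("2024-06", "finance", "u03", False, False, True),
    ("2024-06", "finance", "u04", False, False, True),
    ("2024-06", "sales",   "u05", True,  True,  False),
    ("2024-06", "sales",   "u06", True,  False, False),
    ("2024-06", "sales",   "u07", False, False, True),
    ("2024-06", "sales",   "u08", False, False, False),
]


@dataclass
class Metrics:
    recipients: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients


def summarize(results):
    """Aggregate counts per (campaign, department), plus an 'all' row per campaign."""
    out = defaultdict(Metrics)
    for campaign, dept, _user, clicked, submitted, reported in results:
        for key in ((campaign, dept), (campaign, "all")):
            m = out[key]
            m.recipients += 1
            m.clicked += int(clicked)
            m.submitted += int(submitted)
            m.reported += int(reported)
    return dict(out)


def departments_needing_attention(summary, campaign, click_threshold=0.25):
    """Departments whose click rate in `campaign` exceeds the threshold (assumed 25%)."""
    return sorted(dept for (c, dept), m in summary.items()
                  if c == campaign and dept != "all" and m.click_rate > click_threshold)


def trend(summary, dept):
    """(campaign, click rate, report rate) for one department, oldest first."""
    return [(c, round(m.click_rate, 2), round(m.report_rate, 2))
            for (c, d), m in sorted(summary.items()) if d == dept]


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns:
    candidates for targeted (not punitive) follow-up training."""
    clicks = defaultdict(set)
    for campaign, _dept, user, clicked, _submitted, _reported in results:
        if clicked:
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    for campaign in ("2024-03", "2024-06"):
        print(campaign, "needs attention:", departments_needing_attention(s, campaign))
    print("finance trend:", trend(s, "finance"))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

In the sample data finance improves between campaigns (click rate halves, report rate triples) while sales gets worse, which is exactly the comparison the list above asks for; the report rate is the number to watch when deciding whether training has changed behaviour rather than just luck.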
Regular Training Sessions: Keep Employees Informed About the Latest Threats and Best Practices
Cybersecurity training is no one-and-done task. It should be ongoing and fluid with current trends, new procedures, and recent cybersecurity drills.
A simple monthly email just isn't going to cut it, for two reasons. One, it will get lost among the hundreds of emails most employees receive every day.
And two, an email doesn't convey the severity of the topic; it signals something somebody threw together quickly and sent to all.
Regular training should stand out to reinforce the importance of the topic. For example, if a C-suite executive sets aside time every month for training sessions and advocates for cybersecurity awareness, that signals the seriousness of the topic in a way a reminder email to be vigilant never will.
Make It Relatable: We Better Understand What We Can Relate To
If your cybersecurity training isn’t relatable, the importance of preventing data breaches just won’t sink in.
So how do you make it relatable?
There are two ways:
- Make it personal
- Follow current trends.
To make it personal, talk about protecting the individual's personal computer and home network as well as the company's data.
Employees are more likely to pay attention and apply the practices being taught when doing so also protects themselves and their family at home, rather than the training focusing solely on the company's systems and data.
Following recent trends also keeps training relatable and improves both retention and the ultimate outcome of the sessions.
This can be achieved by talking about current events that have made it to the news – for example, the latest crypto or phishing scams, making the conversation relevant and relatable.
It gives the conversation context.
Create Clear Policies and Procedures: Drop the High-Level Tech Jargon
Policies and procedures should be clear, understandable, and accessible – no high-level technicalities that only the IT team can understand and not buried so deeply in the company records that only the IT team can find them.
These are the guidelines that people need to follow in their day-to-day activities or look to in the event of a security breach. They need to be understandable by all employees and accessible in an instant.
Accessible policies and guidelines at a minimum should be created for
- Web browsing
- Using mobile devices
- Handling of sensitive information
- Accessing company systems when out of office
As with training, your policies should be fluid and evolve with the company and changing cybersecurity risks, which means a regular review is essential.
Policy and guideline amendments can be triggered for a number of reasons: results from simulated attacks or real incidents, improvements to the company's identity and access management strategy, or a rapid change in ways of working, for example working from home during a pandemic.
No matter what induced the updates, it’s vital that the amendments are followed up with the necessary education on the new way of doing things, with a structured module added to employee training plans.
What Training to Implement
Now we’ve covered some best practices to implement cybersecurity training within an organization, let’s go over some essentials for those training modules.
Keeping Software Up to Date
Outdated software leaves your business open to malware and other threats. Attackers routinely exploit vulnerabilities for which a patch already exists but has not been installed.
The importance of keeping devices, software, and applications up to date should be made explicit. Cybersecurity isn't just for the IT team to take care of, it's a culture that needs to be adopted. Where IT pushes updates centrally, that means installing them and rebooting when prompted rather than hitting "remind me later" for weeks; where employees manage their own devices or browser extensions, it means applying updates themselves without waiting for IT.
Employees should be encouraged to take ownership of their cybersecurity in their day-to-day actions.
Setting Strong Passwords
All it takes is one weak password to leave the door open for cybercriminals to gain access to company-wide data, including client and customer data.
Industry breach reports year after year attribute a large share of incidents to weak, reused or stolen credentials, which means it's imperative to instill the importance of setting strong passwords in the workplace.
We have an entire article on password best practices that talks in detail about these eight factors:
- Use long passwords: The longer the better. Length does more for you than any amount of symbol-juggling; a passphrase of several unrelated words beats a short "complex" password
- Never use personal information: No names, birthdays, or names of pets, all of which an attacker can find on social media
- Swap letters with punctuation: Note that predictable swaps (a to @, o to 0) add very little, because cracking tools apply exactly those substitutions automatically; they help only against someone who overheard the password
- Make deliberate spelling mistakes: This targets dictionary attacks rather than brute force, and again helps less than you'd think, since cracking rules also try single-character edits of dictionary words
- Keep passwords secure: Never on a note by the device or in a plain text file
- Use unique passwords for different accounts: A breach of one account doesn't become a breach of all accounts
- Use a password manager: To generate and keep a record of all the different passwords and accounts, which is what makes unique, long passwords practical
- Use MFA (Multi-Factor Authentication) where possible: A stolen password alone is then not enough to get in
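To make the password factors above concrete, here is an added example of a password policy check that is not from the original article or its password guide. It demonstrates why the substitution and misspelling tricks add little: the checker undoes common letter-for-symbol swaps and uses edit distance to catch misspelled dictionary words, exactly as cracking tools do, then also enforces length, rejects personal details and simple sequences. The wordlist, the 14-character minimum and the sample passwords are constructed assumptions; a real deployment would check against a breached-password corpus of millions of entries.

```python
import re

# Constructed stand-in for a breached-password / cracking wordlist (assumption).
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "summer", "admin", "company")

# Reverse "leetspeak" table. Cracking tools apply these substitutions as rules,
# so "P@ssw0rd" falls as soon as "password" does.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(text: str) -> str:
    """Undo common substitutions, lowercase and keep letters only."""
    return re.sub(r"[^a-z]", "", text.translate(LEET).lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch deliberate misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_dictionary_word(core: str, words=COMMON_WORDS, max_dist: int = 1):
    """Return (word, exact) if a wordlist entry appears in `core` verbatim or
    within `max_dist` edits (e.g. 'passwrd'), else None."""
    for w in words:
        if w in core:
            return w, True
    for w in words:
        for size in (len(w) - 1, len(w), len(w) + 1):
            for i in range(len(core) - size + 1):
                if edit_distance(core[i:i + size], w) <= max_dist:
                    return w, False
    return None


def check_password(pw: str, personal=(), min_len: int = 14) -> list[str]:
    """Return policy violations for `pw`; an empty list means accepted.
    `personal` holds details an attacker could learn about the user
    (names, pet names, years) that must not appear in the password."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    hit = find_dictionary_word(core)
    if hit:
        word, exact = hit
        problems.append(f"based on a common word ({word})" if exact
                        else f"misspelling of a common word ({word})")
    for item in personal:
        norm = normalize(item)
        if item.isdigit() and item in pw:
            problems.append(f"contains personal information ({item})")
        elif not item.isdigit() and len(norm) >= 3 and norm in core:
            problems.append(f"contains personal information ({item})")
    # Repeated characters and trivial keyboard/number walks.
    if re.search(r"(.)\1{2,}", pw) or "1234" in pw or "abcd" in pw.lower():
        problems.append("contains a simple sequence or repeat")
    return problems


if __name__ == "__main__":
    samples = [("P@ssw0rd2024!", ()), ("Passwrd-Is-Not-Enough-9", ()),
               ("Rex-1987-Summertime", ("Rex", "1987")),
               ("marble-kettle-orbit-cloud-47", ())]
    for candidate, info in samples:
        print(candidate, "->", check_password(candidate, info) or "accepted")
```

Note that "P@ssw0rd2024!" satisfies every classic complexity rule (upper, lower, digit, symbol) and is still rejected as "password" once the substitutions are undone, while the four-word passphrase passes with no symbols at all beyond the separators. That is the point worth making in training: length and unpredictability, not decoration.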
Using Public Wi-Fi Networks
With the new age of remote working upon us, it’s vital that employees are trained on the security risks of using public networks.
More and more employees are often working on the road, in cafes, restaurants, and hotels. Education on the risks of public Wi-Fi networks needs to be addressed with adequate training.
Public Wi-Fi networks are often unsecured or run by whoever set up the access point, which lets a criminal position themselves between the user and the internet (or stand up a look-alike "evil twin" hotspot). TLS protects the contents of most traffic today, but an attacker in that position still sees which sites the user visits, can serve captive-portal pages and fake login prompts, and can intercept anything sent over plain HTTP.
Explicit training on handling sensitive information while on a public network is essential: never ignore a certificate warning, and prefer the phone's mobile hotspot over an unknown network. Providing a VPN that encrypts all traffic back to the company for remote workers should also be a strong consideration, particularly in companies handling sensitive information.
Secure Home Networks
As with accessing public networks, training should be implemented for employees using their home networks to demonstrate best practices for improving network security.
Home network improvements include:
- Connecting computers through the router rather than directly to the modem, so they sit behind the router's firewall instead of being exposed to the internet
- Changing the router's default admin password and using a strong Wi-Fi passphrase with WPA2 or WPA3
- Changing the default network name, which often reveals the router's manufacturer and model, and with it the known vulnerabilities to try
- Using a VPN for company access
- Ensuring router firmware is up to date, since an unpatched router is the weakness the previous points only hide
Phishing Scam Awareness
Phishing is the act of someone pretending to be a reputable business or individual in order to coerce a user into revealing valuable information such as credit card details and passwords, or to get malicious software onto the user's device.
Training on the different types of phishing scams, the risks of falling victim to phishing scams, and how to identify phishing scams are critical to any cybersecurity training.
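The tells that phishing training teaches people to look for (a sender domain that merely resembles the company's, a Reply-To that goes somewhere else, urgency language, and links whose visible text doesn't match where they actually go) can be checked mechanically. The following is an added example, not code from the original article: it parses a constructed sample message with Python's standard library and reports each indicator it finds. The organisation domain `example-corp.com`, the sample message and the urgency word list are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"  # assumed: the organisation's own mail domain

# Constructed sample message (not a real phish) that packs several tells into one mail.
SAMPLE_EMAIL = """\
From: "Example-Corp IT Helpdesk" <helpdesk@example-corp-support.net>
Reply-To: support@mail-secure-login.net
To: jane.doe@example-corp.com
Subject: URGENT: your password expires in 2 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Verify immediately:</p>
<p><a href="http://198.51.100.23/login">https://sso.example-corp.com/login</a></p>
</body></html>
"""

URGENCY = ("urgent", "immediately", "suspended", "expires", "verify")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    # Lookalike: contains the company's name but is not the company's domain.
    org_label = org_domain.split(".")[0]
    if sender_domain != org_domain and org_label in sender_domain:
        findings.append(f"lookalike sender domain: {sender_domain}")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain ({reply_domain}) differs from sender ({sender_domain})")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in URGENCY if w in text]
    if len(hits) >= 2:
        findings.append("urgency/pressure language: " + ", ".join(hits))
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        target = host_of(href)
        if is_ip(target):
            findings.append(f"link points at a bare IP address: {target}")
        shown_host = host_of(shown) if shown.startswith(("http://", "https://")) else ""
        if shown_host and shown_host != target:
            findings.append(f"link text shows {shown_host} but goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Each finding maps to something a person can check by hand: hover over the link before clicking, read the actual address behind the display name, and treat "act within two hours" as a reason to slow down rather than speed up. None of these indicators is proof on its own, which is why the training point is to report anything that trips one rather than to decide alone.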
Protecting Devices With a Lock Screen Password
This section of training seems like a bit of a no-brainer but all too often employees leave their desks with their computer screens unlocked, allowing anyone in the room to access their computers.
Lock screens apply to more than work computers and laptops; they include other work devices such as mobile phones and tablets.
If employees have company information or email on their work or personal mobile phones, it should be mandatory for them to have a secure PIN or passcode that locks the device, and training needs to explain why this matters: a lost, unlocked phone is a lost mailbox and often a lost MFA factor as well.
A policy of locking devices whenever they are not in use can seem rudimentary, but it is a critical part of cybersecurity. Set a short auto-lock timeout so the policy holds even when someone forgets.
As with passwords, PINs should be strong: no 1234, 1111, 0000, birthdays, or wedding anniversaries, and Touch ID, Face ID or an equivalent biometric unlock is recommended whenever it's available.
Social Engineering Tactics
Social engineering is the use of psychological manipulation to coerce the victim into giving up sensitive information or taking actions that compromise their security and the security of their company network.
Attackers may use a variety of tactics in an attempt to trick people, including posing as a trustworthy person or organization, creating a sense of urgency, exploiting emotions, or using personal information found online to gain the victim’s trust.
Training on social engineering should bring light to the importance of what is shared on social media by asking “Can this piece of social media content be used against me?”.
Ensuring that privacy settings are reviewed regularly is another best practice to cover in this area.
Bringing awareness to the common signs of social engineering, such as messages from untrusted sources, offers that appear too good to be true, unusual pressure to act at once, and a request that just doesn't feel right, empowers employees to pause and verify through a known channel (a phone number from the directory, not one from the message) before acting on any request for information or action.
For more cybersecurity best practices, check out our 9 essential identity and access management tips.